On Wed, Jul 08, 2026 at 01:25:50PM -0700, Benjamin Kaduk wrote:
> On Wed, Jul 08, 2026 at 10:06:07PM +0200, Tanja Lange wrote:
> > 
> > Dear Nick,
> > In ECDH when you get aG from the server and compute the shared b(aG) you 
> > don't
> > learn anything about a.
> > 
> > In ML-KEM the server encapsulates to your ephemeral public key starting from
> > some seed m. Decapsulating recovers the seed (and needs to, due to FO).
> > 
> > In the scenario that the RNG is predictable there is no difference and an
> > outside attacker gets the shared key in either scenario. Hashing the RNG 
> > output
> > before using it is at best a band aid.
> > 
> > In the Dual-EC scenario there is a big difference because ML-KEM gives you 
> > raw
> > RNG output from the server any time you open a connection to it. 
> 
> I think it may be important to highlight the distinction between the safety
> of the TLS connection and the safety of a given endpoint, especially in light
> of Dual-EC type scenarios.  It seems like the question of whether 'm' is 
> hashed
> is really about the latter and not the former.
> 
> That is to say, the construction of the TLS handshake, with both parties
> contributing randomness that's included into the handshake transcript, gives a
> strong key for the connection as long as at least one participant is honest 
> and
> has a strong RNG.  However, in a scenario where one endpoint has a
> Dual-EC-style compromised RNG, where seeing enough of its output would allow 
> an
> attacker to reconstruct RNG internal state and predict subsequent output,
> exposing a lot of RNG output either in plaintext on the wire or from server to
> client (since the client initiates connections, exposure from client to server
> is a less severe vector) can lead to risk to that endpoint's security, not 
> just
> on this connection but on future connections as well.  In the scenario under
> discussion here, an unhashed 'm' would be exposed to the client, thus 
> potentially
> exposing server RNG state to the client but not to a passive observer.
> 
> However ... is it really plausible that the ML-KEM 'm' would use a compromised
> RNG but not the (plaintext on the wire) ServerHello.Random?  If they use the
> same RNG then it seems the incremental risk to a server with compromised RNG
> from using ML-KEM is zero, because ServerHello.Random already leads to an
> equivalent exposure (of 32 bytes of RNG output).
> 
See, e.g., Botan
        https://github.com/randombit/botan/blob/master/src/lib/tls/tls_policy.h

      /**
       * Hash the RNG output for the client/server hello random. This is a
       * pre-caution
       * to avoid writing "raw" RNG output to the wire.
       *
       * There's not normally a reason to disable this, except when
       * deterministic output
       * is required for testing.
       *
       * Default: true
       */

their ML-KEM version, true to spec, does not hash the RNG
        
https://github.com/randombit/botan/blob/master/src/lib/pubkey/kyber/ml_kem/ml_kem_impl.cpp

All the best
        Tanja

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to